Ankr says ex-employee caused $5M exploit, vows to improve security


A former member of the team caused a $5 million hack of the Ankr protocol on December 1, according to an announcement from the Ankr team on December 20.

The former employee carried out a "supply chain attack" by placing malicious code into a package of future updates to the team's internal software. Once that software was updated, the malicious code created a security vulnerability that allowed the attacker to steal the team's deployer key from the company's server.

Previously, the team had announced that the exploit was caused by a stolen deployer key, which had been used to upgrade the protocol's smart contracts. At the time, however, they had not explained how the deployer key had been stolen.

Ankr has alerted the local authorities and is trying to bring the attacker to justice. It is also working to strengthen its security practices to protect access to its keys in the future.

Upgradeable contracts like those used by Ankr are based on the concept of an "owner account" that has sole authority to perform upgrades, according to an OpenZeppelin tutorial on the subject. Because of the risk of key theft, most developers transfer ownership of these contracts to a Gnosis Safe or other multisig account. The Ankr team says it had not used a multisig account for ownership in the past, but will from now on, stating:
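To make the ownership model concrete, here is an added illustration of a UUPS-style upgradeable contract whose upgrade authority is the owner account; it is example code written for this page, not Ankr's contract or the OpenZeppelin tutorial's. It assumes the OpenZeppelin upgradeable contracts v5.x API (`__Ownable_init(address)`, `_authorizeUpgrade`), and the contract name and the idea of passing a multisig as `initialOwner` are this example's choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Ankr's code. Assumes OpenZeppelin
// contracts-upgradeable v5.x; StakedTokenV1 is a made-up name.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

contract StakedTokenV1 is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    uint256 public totalMinted;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // The implementation behind the proxy must never be initialised directly.
        _disableInitializers();
    }

    // `initialOwner` becomes the only account that can upgrade the proxy.
    // Passing a Gnosis Safe (optionally behind a TimelockController) here,
    // instead of the deployer's externally owned account, is what removes
    // the single-key point of failure described in the article. For a
    // contract already owned by an EOA, the equivalent step is for that EOA
    // to call transferOwnership(multisig) once.
    function initialize(address initialOwner) public initializer {
        __Ownable_init(initialOwner);
        __UUPSUpgradeable_init();
    }

    // UUPS hook: every upgradeToAndCall() passes through this check, so
    // `onlyOwner` makes the owner account the sole upgrade authority.
    // Whoever holds the owner's key (or enough multisig signers) can swap
    // in arbitrary new logic, including a mint function.
    function _authorizeUpgrade(address newImplementation) internal override onlyOwner {}
}
```

A practitioner verifying a deployment would read `owner()` on the proxy and confirm it is the multisig, not a deployer EOA; with a plain `Ownable`, a mistyped `transferOwnership` target cannot be undone, so `Ownable2StepUpgradeable` (which requires the new owner to accept) is the safer choice for the handover.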

"The exploit was possible in part because there was a single point of failure in our developer key. We will now implement multi-signature authentication for updates that will require approval from all key custodians during restricted time intervals, making a future attack of this type extremely difficult, if not impossible. These features will enhance the security of the new ankrBNB contract and all Ankr tokens."

Ankr is also committed to improving its HR practices. It will require "escalated" background checks for all employees, including those working remotely, and will review access rights to make sure only workers who need it can access sensitive data. The company will also implement new notification systems to alert the team more quickly when something goes wrong.

The Ankr Protocol exploit was first discovered on December 1. It allowed the attacker to mint 20 billion Ankr Reward Bearing Staked BNB (aBNBc), which was immediately swapped on decentralized exchanges for around $5 million worth of USD Coin (USDC) and bridged to Ethereum. The team has stated that it plans to reissue its aBNBb and aBNBc tokens to users affected by the exploit and to spend $5 million from its own treasury to ensure the new tokens are fully backed.

The developer has also deployed $15 million to repeg the HAY stablecoin, which became undercollateralized as a result of the exploit.